VDB
JLSEC-2026-17
PUBLISHED
CVSS 9.3 CRITICAL
GNU patch through 2.7.6 is vulnerable to OS shell command injection that can be exploited by opening a crafted patch file containing an ed-style diff payload with shell metacharacters. The ed editor does not need to be present on the vulnerable system: the metacharacters are interpreted by the shell that patch used to launch ed, before ed itself would ever run. The upstream fix (commit 3fcd042d26d70856e826a42b5f93dc4854d80bf0, listed under References) invokes ed directly instead of going through the shell. This issue is distinct from CVE-2018-1000156, an earlier code-execution flaw in the same ed-diff handling.
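The practical question for a team that applies third-party diffs is how to catch this pattern before `patch` ever sees the file. The following is an added example, not code from the advisory or from GNU patch: a heuristic pre-apply scanner that flags ed-style hunk commands and header file names carrying shell metacharacters, the two ingredients the description names. The regexes, the metacharacter set and the sample inputs are my own constructions; the scanner approximates how patch recognises ed hunks and file-name headers rather than reimplementing its parser.

```python
import re

# Characters a POSIX shell treats specially. If a file name carrying one of
# these is spliced into a `sh -c` command line, the shell interprets it.
SHELL_META = frozenset(";|&`$()<>\"'\\!*?[]{}~#\n")

# An ed hunk command: a line address ("5" or "3,7") followed by a, c or d.
# Heuristic: an inserted text line that happens to look like "3c" also matches.
ED_CMD_RE = re.compile(r"^\d+(?:,\d+)?[acd]\s*$")

# Header lines from which patch takes a target file name. The name is taken
# up to the first whitespace (a timestamp often follows it). Assumption for
# this example: quoted file names are not handled.
HEADER_RE = re.compile(r"^(?:Index:|---|\+\+\+|\*\*\*)\s+(\S+)")


def shell_meta_in(name):
    """Return the sorted list of shell metacharacters present in `name`."""
    return sorted(set(name) & SHELL_META)


def scan_patch(text):
    """Heuristically scan an untrusted patch before handing it to `patch`.

    Returns a dict with the line numbers of ed-style hunk commands, the header
    file names that contain shell metacharacters, and a verdict:
      "reject" - ed-style hunks together with a metacharacter-laden file name
      "review" - only one of the two signals is present
      "ok"     - neither signal is present
    """
    ed_hunks = []
    bad_names = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = HEADER_RE.match(line)
        if m:
            name = m.group(1)
            meta = shell_meta_in(name)
            if meta:
                bad_names.append({"line": lineno, "name": name, "meta": meta})
            continue
        if ED_CMD_RE.match(line):
            ed_hunks.append(lineno)

    if ed_hunks and bad_names:
        verdict = "reject"
    elif ed_hunks or bad_names:
        verdict = "review"
    else:
        verdict = "ok"
    return {"ed_hunks": ed_hunks, "bad_names": bad_names, "verdict": verdict}


# Constructed sample inputs (not taken from any advisory or exploit write-up).
BENIGN_UNIFIED = """\
--- a/hello.c\t2019-07-01 10:00:00
+++ b/hello.c\t2019-07-02 10:00:00
@@ -1,3 +1,3 @@
 int main(void)
 {
-    return 1;
+    return 0;
 }
"""

# An ed-style diff whose header file name carries a shell metacharacter: the
# shape the advisory describes. Nothing here is executed; it is only scanned.
SUSPICIOUS_ED = """\
--- notes.txt;id
1c
replaced line
.
"""


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_UNIFIED), ("ed-style", SUSPICIOUS_ED)):
        print(label, scan_patch(sample)["verdict"])
```

Run this over a diff before calling `patch` and refuse anything that comes back "reject"; "review" is the right outcome for any ed-style diff from an untrusted source, since most projects never legitimately ship them. The scanner is a stopgap for hosts still on an unfixed 2.7.6 build; it does not replace updating to a patch that carries the referenced commit.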
Risk Scores
CVSS v4.0
9.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Note that this vector scores the flaw as network-reachable with no user interaction (AV:N, UI:N), although the vulnerable code path is only reached when patch is run on an attacker-supplied diff. Read the 9.3 as an upper bound and weigh it against how untrusted patches actually reach the systems in question.
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Julia | patch_jll | 0, 0 |
Timeline
- Mar 31, 2026 CVE Published
- Mar 31, 2026 CVE Updated
- May 1, 2026 Distribution Patch
References
- http://packetstormsecurity.com/files/154124/GNU-patch-Command-Injection-Directory-Traversal.html
- https://access.redhat.com/errata/RHSA-2019:2798
- https://access.redhat.com/errata/RHSA-2019:2964
- https://access.redhat.com/errata/RHSA-2019:3757
- https://access.redhat.com/errata/RHSA-2019:3758
- https://access.redhat.com/errata/RHSA-2019:4061
- https://git.savannah.gnu.org/cgit/patch.git/commit/?id=3fcd042d26d70856e826a42b5f93dc4854d80bf0
- https://github.com/irsl/gnu-patch-vulnerabilities
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVWWGISFWACROJJPVJJL4UBLVZ7LPOLT/
- https://seclists.org/bugtraq/2019/Aug/29
- https://seclists.org/bugtraq/2019/Jul/54
- https://security-tracker.debian.org/tracker/CVE-2019-13638
- https://security.gentoo.org/glsa/201908-22
- https://security.netapp.com/advisory/ntap-20190828-0001/
- https://www.debian.org/security/2019/dsa-4489